A TLS termination proxy (also called SSL termination, SSL offloading, or reverse TLS proxy) intercepts and decrypts incoming TLS traffic, such as HTTPS or IMAPS, before it is forwarded to another server. It is a proxy server that an institution uses to handle incoming TLS connections: it decrypts the TLS and passes the unencrypted request on to the institution's other servers (it is assumed that the institution's own network is secure, so the user's session data does not need to be encrypted on that part of the link).
TLS termination proxies are used to reduce the load on the main servers by offloading the cryptographic processing to another machine, and to support servers that do not support SSL.
Kubernetes Ingress is an API object that manages external access to the services in a cluster, typically HTTP. Ingress may provide load balancing, SSL termination and name-based virtual hosting. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name based virtual hosting. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.
You must have an ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect. You may need to deploy an Ingress controller such as ingress-nginx.
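As an added illustration (not from the original page or the ingress-nginx project), the manifest below shows an Ingress that terminates TLS for one host and forwards plaintext HTTP to the backend Service. The names demo-tls, demo-ingress, demo.example.com and demo-svc, and the ingress class name nginx, are assumptions.

```yaml
# Added example. All names and the host are placeholders.
# The Secret can also be created with:
#   kubectl create secret tls demo-tls --cert=tls.crt --key=tls.key
apiVersion: v1
kind: Secret
metadata:
  name: demo-tls
  namespace: default          # must be the same namespace as the Ingress
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder, not a real value
  tls.key: <base64-encoded PEM private key>         # placeholder, not a real value
---
# networking.k8s.io/v1 needs Kubernetes 1.19 or later; older clusters use
# networking.k8s.io/v1beta1, which has a different backend schema.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    # ingress-nginx: redirect plain HTTP to HTTPS for this host
    # (already the default once a tls block is present).
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # The hop from the controller to the pods is plaintext by default.
    # To re-encrypt it, the backend must serve TLS and this is set:
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx     # assumed class name of the installed controller
  tls:
    - hosts:
        - demo.example.com    # must match the rule host and the certificate SAN
      secretName: demo-tls    # certificate and key the controller presents
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-svc
                port:
                  number: 80  # TLS ends at the controller; this hop is HTTP
```

A host listed under rules but missing from the tls block is not served with this certificate, so the two host lists should be kept in sync.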
Nginx Ingress Controller:
An Ingress object routes traffic into your cluster to the correct application. By default, an ingress enables a Google Cloud Load Balancer. These are some badass, globally available load balancers that can handle an outrageous amount of traffic. You probably don't need that for most applications, especially development environments.
The Nginx ingress controller is a substitute. It's an application that runs in your cluster and handles routing and load balancing traffic. It's simple to add an nginx ingress controller; apply the files in this repository:
kubectl apply -f nginx-ingress-controller/
It will take a moment for nginx-ingress-lb to acquire an IP address. During that time, running the command kubectl get services -n kube-system will show something like the following:
NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   10.55.241.224   <nodes>       80:32516/TCP                 11d
heapster               10.55.255.208   <none>        80/TCP                       11d
kube-dns               10.55.240.11    <none>        53/UDP,53/TCP                11d
kubernetes-dashboard   10.55.240.50    <none>        80/TCP                       11d
nginx-ingress-lb       10.55.249.186   <pending>     80:32005/TCP,443:31623/TCP   6s
Here nginx-ingress-lb's EXTERNAL-IP is <pending>. Once that <pending> flips to an IP address, note the IP address. Navigate to VPC Network -> External IP addresses in the Google Cloud console. Locate the IP address in that list and change its type from Ephemeral to Static. (You'll be prompted for a name, which can be whatever you like.)
====
Install Nginx Ingress Controller to your cluster using HELM:
Install nginx ingress controller using HELM => helm install nginx-ingress stable/nginx-ingress --set controller.publishService.enabled=true
Check whether service got installed => kubectl get services -o wide -w nginx-ingress-controller
====
Install nginx ingress controller & ingress resource on Bare-metal Using NodePort:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.35.0/deploy/static/provider/baremetal/deploy.yaml
Verify installation:
kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --watch
Once the ingress controller pods are running, you can cancel the command by pressing Ctrl+C.
Now, you are ready to create your first ingress =>
Detect installed version:
To detect which version of the ingress controller is running, exec into the pod and run the nginx-ingress-controller --version command.
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
Using Helm:
The NGINX Ingress controller can be installed via Helm using the chart from the project repository.
To install the chart with the release name ingress-nginx:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install my-release ingress-nginx/ingress-nginx
Detect installed version:
POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
